Come one, come all — today we officially begin a new series of posts here at Perishable Press: the public exposure, humiliation, and banishment of spammers, crackers, and other site attackers. Kicking things off for 2008: blacklist candidate number 2008-01-02!

Every Wednesday, I take a little time to investigate my 404 error logs. In addition to spam, crack attacks, and other deliberate mischief, the 404 logs for Perishable Press contain errors due to missing resources, mistyped URLs, and the occasional bizarre or even suspicious behavior of the search-engine robots. Whenever possible, I attempt to resolve a majority of the “fixable” errors, either by restoring missing resources, adding an htaccess redirect, or by any other means available.

Having exercised this rigorous maintenance practice for well over a year now, my 404 error logs are almost completely devoid of all “fixable” 404 errors, and are filled almost exclusively with spam attacks, XSS attempts, and other miscellaneous cracker nonsense. Fortunately, my site has only fallen victim to such espionage on one occasion, and on a different server.

These days, I go to great lengths to ensure the stability and security of my site, banning all scum-infested IP addresses via my htaccess blacklist. Most of the meatsacks I encounter are small-time, piddly-wink candy-apples, but occasionally a more serious disease-bag will stumble along. So, inspired by the helpful notices posted by A Daily Rant, I have decided to share some of the more depraved neanderthals with my audience (so kind, I know). Thus, in addition to the blacklist and blackhole data that I share with you, I am now also focusing on individual and small-group candidates for blacklisting. And so, in the philanthropic spirit of A Daily Rant, I am proud to expose blacklist candidate number 2008-01-02: IP address 75.126.85.215!

Synopsis

According to my 404 error log, IP address 75.126.85.215 attempted to access the non-existent resource, “/wp-admin/admin-ajax.php” 312 times on September 30th, 2007 and another 312 times on October 1st, 2007. During each attack, half of the access attempts were targeted at “/press/2007/wp-admin/admin-ajax.php” and the other half at “/press/wp-admin/admin-ajax.php”. The IP was blocked early October 2nd to prevent further attempts. Update: blocking this specific IP address seems to be effective — it is now January of 2008 and no similar attacks have yet occurred.

Discussion

Apparently, certain versions of WordPress suffer from a security vulnerability related to the admin file admin-ajax.php. Fortunately, at the time of the attack I was running a version of WordPress in which the vulnerability had already been fixed; that did not stop our first official blacklist candidate from executing 624 access attempts. Each of Candidate 2008-01-02’s two attacks lasted around 2 minutes: 312 requests in roughly 120 seconds, or about 2.6 hits per second. Note that those requests show up in the 404 log only because the guessed paths do not exist on this site; a scanner that finds the file on an unpatched install leaves no trace in the 404 log at all, so the 404 log catches the misses, not the hits.
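Because the pattern above is easy to spot mechanically (hundreds of hits on non-existent paths from one address inside a couple of minutes), here is an added example, not code from Perishable Press, of a PHP script that flags such bursts in a 404 log and prints the htaccess lines to ban the offenders. It assumes PHP 7.1 or later and a log of one hit per line in the form ip, ISO-8601 timestamp, request URI, tab-separated; the sample log below is constructed to mimic the attack, and 192.0.2.10 is a documentation address standing in for an ordinary visitor.

```php
<?php
// Added example for this post (not code from Perishable Press): flag IPs that
// hammer non-existent resources in a short burst, the pattern described above,
// and print the htaccess lines needed to ban them.
// Assumed log format: ip <TAB> ISO-8601 timestamp <TAB> request URI, one hit
// per line; extra tab-separated fields after the URI are ignored.

date_default_timezone_set('UTC');

/** Parse one log line into [ip, unix timestamp, uri]; null if it is malformed. */
function parse_404_line(string $line): ?array
{
    $fields = explode("\t", rtrim($line, "\r\n"));
    if (count($fields) < 3) {
        return null;
    }
    [$ip, $when, $uri] = $fields;
    $ts = strtotime($when);
    if (filter_var($ip, FILTER_VALIDATE_IP) === false || $ts === false) {
        return null;
    }
    return [$ip, $ts, $uri];
}

/**
 * Return IPs whose 404 hits reach $threshold inside any $window-second span,
 * as ip => ['peak' => hits in the busiest window, 'total' => all hits,
 * 'uris' => uri => count]. A person clicking a dead link produces a handful
 * of 404s; hundreds inside two minutes only come from automation.
 */
function find_burst_candidates(array $lines, int $window = 120, int $threshold = 50): array
{
    $by_ip = [];
    foreach ($lines as $line) {
        $rec = parse_404_line($line);
        if ($rec === null) {
            continue;                       // skip junk lines instead of aborting the run
        }
        [$ip, $ts, $uri] = $rec;
        $by_ip[$ip]['times'][] = $ts;
        $by_ip[$ip]['uris'][$uri] = ($by_ip[$ip]['uris'][$uri] ?? 0) + 1;
    }

    $candidates = [];
    foreach ($by_ip as $ip => $data) {
        $times = $data['times'];
        sort($times);                       // the sliding window needs chronological order
        $peak = 0;
        $start = 0;
        foreach ($times as $end => $t) {
            while ($t - $times[$start] > $window) {
                $start++;                   // drop hits that fell out of the window
            }
            $peak = max($peak, $end - $start + 1);
        }
        if ($peak >= $threshold) {
            arsort($data['uris']);          // most-requested path first
            $candidates[$ip] = ['peak' => $peak, 'total' => count($times), 'uris' => $data['uris']];
        }
    }
    return $candidates;
}

/**
 * Apache 2.2-style deny lines for the flagged IPs. Deliberately no <Limit>
 * wrapper: Apache's docs warn it restricts only the listed methods, so a
 * <Limit GET POST> ban is bypassed by any other verb.
 */
function htaccess_deny_block(array $candidates): string
{
    $out = "# blacklist candidates generated " . date('Y-m-d') . "\n";
    $out .= "Order Allow,Deny\nAllow from all\n";
    foreach (array_keys($candidates) as $ip) {
        $out .= "Deny from $ip\n";
    }
    return $out;
}

// Constructed sample log modelled on the attack above: 312 hits from the
// candidate inside 120 seconds, alternating between the two guessed paths,
// plus a couple of stray 404s from an ordinary visitor and one junk line.
$sample = [];
$t0 = strtotime('2007-09-30 03:00:00');
for ($i = 0; $i < 312; $i++) {
    $when = date('c', $t0 + intdiv($i * 120, 312));
    $path = ($i % 2 === 0) ? '/press/2007/wp-admin/admin-ajax.php'
                           : '/press/wp-admin/admin-ajax.php';
    $sample[] = "75.126.85.215\t$when\t$path";
}
$sample[] = "192.0.2.10\t2007-09-30T03:00:30+00:00\t/favicon.ico";   // 192.0.2.0/24 is reserved for documentation
$sample[] = "192.0.2.10\t2007-09-30T03:01:10+00:00\t/press/old-link/";
$sample[] = "not a log line at all";

$flagged = find_burst_candidates($sample);
foreach ($flagged as $ip => $info) {
    printf("%s: %d hits total, %d inside one 120 s window\n", $ip, $info['total'], $info['peak']);
    foreach ($info['uris'] as $uri => $n) {
        printf("  %4d  %s\n", $n, $uri);
    }
}
echo htaccess_deny_block($flagged);
```

Run it with php burst.php. The threshold of 50 hits per two-minute window is an assumed starting point: a human hitting a dead link produces a handful of 404s, while a bot at 2.6 hits per second produces hundreds, so there is plenty of room between the two. On Apache 2.4 the Order/Allow/Deny directives are replaced by Require not ip inside a RequireAll block, and if the server sits behind a proxy or CDN the logged address is the proxy's, so ban only addresses you know are the real client.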

Details

Here are the first and last 404-log entries for both attacks. Here is the excerpt from September 30th:

Trust me, I do get the joke — thus the lighthearted tone of the article — and I am glad you also see the humor in the whole charade. I do, however, take seriously all attempts to exploit my site, regardless how “impersonal” they may be perceived. Sure, the warfare is automated and largely randomized, but that does not detract from the negative consequences associated with deliberate site attacks. The mindless spammers may have no idea who they are attacking, but I assure you that those of us forced to spend time, effort, and money to combat such idiocy understand the situation quite intimately.

As for the tools I use to keep an eye on such nefarious behavior, I am preparing a plugin that is designed to do the job. Basically, I am using a variety of predefined PHP variables to create a log for all 404 hits. You need a writable log file that is written to by a custom 404 error page that captures all the desired information. Much more on this process is on the way. Stay tuned.
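As an added example of the approach described in the comment above (not the plugin itself, which the comment says is still being written), here is a minimal custom 404 page in PHP that records each miss from the predefined $_SERVER variables to a writable log file. The log path, the tab-separated line format and the PHP 7.1+ syntax are assumptions for this example; wire it in with ErrorDocument 404 /404.php in .htaccess.

```php
<?php
// Added example, not the plugin described in the comment above: a minimal
// custom 404 page that appends one tab-separated line per miss to a log file,
// built from PHP's predefined $_SERVER variables. Wire it in with
// "ErrorDocument 404 /404.php" in .htaccess. Log path and line format are
// assumptions for this example; requires PHP 7.1 or later.

date_default_timezone_set('UTC');

// Outside the document root, so the log can never be fetched over HTTP.
define('LOG_404', dirname(__DIR__) . '/logs/404.log');

/**
 * URI, referer and user-agent are attacker-supplied. Strip the delimiters
 * (tab, CR, LF) so a crafted request cannot forge extra lines in the log,
 * and cap the length so one request cannot flood it.
 */
function log_field(?string $value, int $max = 512): string
{
    if ($value === null || $value === '') {
        return '-';
    }
    return substr(str_replace(["\t", "\r", "\n"], ' ', $value), 0, $max);
}

/** One log line: ip, timestamp, URI, referer, user-agent. */
function build_404_line(array $server): string
{
    return implode("\t", [
        log_field($server['REMOTE_ADDR'] ?? null),      // the proxy's address if you sit behind one
        date('c'),
        log_field($server['REQUEST_URI'] ?? null),
        log_field($server['HTTP_REFERER'] ?? null),
        log_field($server['HTTP_USER_AGENT'] ?? null),
    ]) . "\n";
}

/** Append under an exclusive lock so concurrent 404s do not interleave bytes. */
function append_404_log(string $path, string $line): bool
{
    return file_put_contents($path, $line, FILE_APPEND | LOCK_EX) !== false;
}

// Send the 404 status explicitly rather than trusting the server to keep it;
// a 200 here would let search engines index every guessed path as a real page.
header(($_SERVER['SERVER_PROTOCOL'] ?? 'HTTP/1.0') . ' 404 Not Found');

if (!append_404_log(LOG_404, build_404_line($_SERVER))) {
    error_log('404 logger: cannot write ' . LOG_404);   // report to the server log, never to the visitor
}

// The requested path is attacker input: escape it before echoing it back.
$shown = htmlspecialchars($_SERVER['REQUEST_URI'] ?? '', ENT_QUOTES, 'UTF-8');
echo "<!DOCTYPE html>\n<title>404 Not Found</title>\n",
     "<h1>Not Found</h1>\n<p>Nothing lives at <code>{$shown}</code>.</p>\n";
```

Two details matter more than they look. The request URI, referer and user-agent are whatever the client sent, so delimiters are stripped before writing; otherwise a single crafted request can forge whole lines in the log and poison whatever parses it later. And the log lives outside the document root with a locked append, so it cannot be fetched over HTTP and concurrent hits cannot interleave. Behind a reverse proxy or CDN, REMOTE_ADDR is the proxy's address; take the client address from the header the proxy sets only if you trust that proxy to set it.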

I do, however, take seriously all attempts to exploit my site, regardless how “impersonal” they may be perceived. Sure, the warfare is automated and largely randomized, but that does not detract from the negative consequences associated with deliberate site attacks.

Of course! I underlined the pleasant part (I mean, you making fun of them) but these spammers are the modern scourge. I really wish we had a juridic way to deal with them.

As for the plugin you raise, that is gold news. Such a plugin would be a killer! I’m waiting on the edge of my seat :)

Note: I’m sad not to be able to tell you what I mean in my comments. I’m french and even if I get used to reading english, writing is still a pain for me.

What I’m trying to say is that there wouldn’t be confusion between us sometimes if I could write in my native language.

Oh, and I’d say that me enhancing my english thanks to you makes you kind of a teacher for me :D

@DeepFreeze: Yes, I am very fortunate to have been running a version of WP that was not vulnerable to that particular exploit, however, there are countless others targeted at nearly every version of WordPress available. But yes, I am indeed grateful!

@Louis: I agree, especially if you mean “juridic” in the sense of, “skinning them alive and feeding their still warm flesh to the dogs..” — they are indeed the modern day scourge (well said). As for the plugin, I have the 404 scripting stuff done, I just need to work it into the WP Admin. When finished, it will serve as an excellent way for WordPress users to keep a close eye on their 404 errors. I am excited about it as well :)

Great website, found searching Google for “PHP block IP address”. I’m having a guy from Russia (apparently) leave link requests for his sick porno-sites. I’m going to use your information to block him.

I got to this link by reading your latest blackhole post for bad bots. I wanted to get your opinion on something. In my perusal of my logs containing bad people or bots landing on my pages over three websites I noticed that almost all of them are running IE 6. Do you also notice this situation?

I refer to this because there is so much discussion about whether or not a person should design for IE 6 or not. I contend that the largest numbers of users people pick up in their logs are bad bots or spammers.

Great point! IE6 as identified via user-agent string is a common sight in my error logs, but I can’t say that “almost all” are IE6. It’s a common spoof string for bad bots, so it seems safe to say that the usage numbers for IE6 are even lower than the data suggests.

Perishable Press is the work of Jeff Starr, professional developer, designer, author, and publisher with over 10 years of experience.